AIDE : Intrusion Detection Environment

this article about Intrusion Detection for file system changes like modification changing owner extra, for critical files or directories in our environment

we using a software called AIDE

Advanced Intrusion Detections Environment
this software base on a library called mhash this lib used to calculate file hashes
and AIDE save the file info inside DB with base64 formate
the information that will be saved depends on the aide configuration file

example of default info for the Linux image file

let’s decode this

the content owner, file permission, inode, ACL, SELinux file policy

 

simple detection report

another report for custom folder permission changed to 777

 

in configuration file we set a variable called webmon to monitor modification of /var/www/html/n1x/

webmon = p+i+u+g+acl+selinux
/var/www/html/n1x webmon

the p+i+u+g+acl+selinux stands for permission , inode , user , group , acl , selinux

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.